Off-Topic > Off-Topic - Tiny Core Lounge

MC server on a thin client /notes

(1/1)

curaga:
So, I had the issue I needed several dozen gigabytes of FTP space for a week or two. What do?

:D Grab a thin client off the shelf, and install MC of course.


Notes on the setup, just in case they are useful for others.

HW: VXL Itona, Via C3 800Mhz, 64mb ram, 32mb flash. Idle 11W, max 35W.


bootlocal.sh:

--- Quote ---#!/bin/sh
# put other system startup commands here

ifconfig eth0 192.168.0.53/24 up
route add default gw 192.168.0.254 eth0
echo "nameserver 192.168.0.254" > /etc/resolv.conf

/opt/myfw.sh
/etc/init.d/dropbear start
bftpd -d -c /usr/local/etc/bftpd.conf

sleep 2

#umount /mnt/sda2
umount /mnt/hda1
--- End quote ---

In short, a static IP, firewall, SSH, FTP, and no boot volume mounted. If there's a power cut or other sudden shutdown, the only possible corruption is in the file area. All extensions are copied to ram.

myfw.sh:

--- Quote ---#!/bin/sh
# Begin basic-firewall
#
# This is a very basic firewall for normal users.
# It blocks all incoming traffic, allows all outgoing,
# and only allows incoming stuff when you started it (ie browsing)

# Insert connection-tracking modules
modprobe -q iptable_nat
modprobe -q nf_conntrack_ipv4
modprobe -q nf_conntrack_ftp
modprobe -q ipt_LOG

# Enable broadcast echo Protection
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Disable Source Routed Packets
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route

# Enable TCP SYN Cookie Protection
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# Disable ICMP Redirect Acceptance
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

# Don't send Redirect Messages
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects

# Drop Spoofed Packets coming in on an interface, where responses
# would result in the reply going out a different interface.
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter

# Log packets with impossible addresses.
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

# be verbose on dynamic ip-addresses  (not needed in case of static IP)
echo 2 > /proc/sys/net/ipv4/ip_dynaddr

# disable Explicit Congestion Notification
# too many routers are still ignorant
echo 0 > /proc/sys/net/ipv4/tcp_ecn

# Set a known state
iptables -P INPUT   DROP
iptables -P FORWARD DROP
iptables -P OUTPUT  ACCEPT

# These lines are here in case rules are already in place and the
# script is ever rerun on the fly. We want to remove all rules and
# pre-existing user defined chains before we implement new rules.
iptables -F
iptables -X
iptables -Z

iptables -t nat -F

# Allow local-only connections
iptables -A INPUT  -i lo -j ACCEPT

# Permit answers on already established connections
# and permit new connections related to established ones
# (e.g. port mode ftp)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A INPUT -m recent --update --seconds 120 -j DROP

# Speed up some ftp / IM
iptables -A INPUT  -p tcp --dport 113 -j REJECT --reject-with tcp-reset

iptables -A INPUT -i eth0 -p tcp --dport 22 -s 192.168.0.0/24 -j ACCEPT
iptables -A INPUT -i eth0 -p udp --dport 22 -s 192.168.0.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 5772 -i eth0 -j ACCEPT
iptables -A INPUT -p udp --dport 5772 -i eth0 -j ACCEPT

iptables -A INPUT -i eth0 -m recent --set -j DROP

# Log everything else. What's Windows' latest exploitable vulnerability?
# iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "


# End of basic-firewall
--- End quote ---

That's just an edited basic-firewall, with the following highlights:
- SSH only allowed from LAN
- FTP on a non-standard port, that is also not used for any other service (consult /etc/services in iana-etc for these ports). Thus the likelihood for a port scan is very small.
- The two recent rules are for port scanning. I'm behind a router, but NAT isn't perfect, so defense in depth. Anything that is not to an accepted port is blacklisted for 2 minutes, and every hit during that time restarts the timer for that IP. In short, a very handy rule.


The ram use right after boot is somewhere about 17mb, even with some extensions loaded to ram. So far looking rather good for a quick server setup in some ~3 hours.

The data is on an usb-connected 2tb drive, formatted in one ext4 partition.


Only user tc can log in via ssh, and another user can only log in via ftp. (ie: tc can't log in via ftp).

Lee:
Thanks for sharing that.  I've had my ftp server down for a while and I'll refer to this when I put it back together.

Navigation

[0] Message Index

Go to full version